Review request: DNS server implementation

Adam Tauno Williams awilliam at whitemice.org
Tue Oct 12 07:18:08 MDT 2010


As an admin currently testing Samba4 alpha13 on CentOS as a potential
replacement for our Samba3 NT domain; usually I just lurk here.

On Tue, 2010-10-12 at 15:00 +0200, Kai Blin wrote:
> On 2010-10-12 14:09, simo wrote:
> > In all seriousness, while I think it must be exciting to build new
> > things, I think we have to stop building new servers.
> I agree in principle, and this isn't a step I took lightly.
> > This NIH syndrome is destructive. Who is going to maintain this code in
> > the long run ? We can barely maintain the code we have, adding new
> > servers seem to me like begging for problems later on.
> So far, this is around a thousand lines of code, about half of that is s4
> task and tsocket boilerplate.
> > What is wrong in building a BIND plugin and reducing the amount of work
> > to maintain to the minimum necessary for us ?
> Ah. I've got a list here.
> 1) Current BIND as shipped by distributions out there don't support
> Kerberos-signed updates the way Windows AD wants it.

Yep.  I had to build my own bind to get near-to-working.  Thank goodness
for VMware snapshots! :)

> 8) The configuration required is different for every distribution. The
> suggestions samba4 provisioning prints out don't work on Ubuntu, or
> openSUSE.

I'm still trying to get them to work on CentOS; but I'm in the early
stages so I can't cast blame yet.

> 10) Adding a BIND ldb plugin is possible, but so far there's no way a
> backend plugin can make decisions about who's allowed to do updates to
> what records from the way I understand the code. We could possibly add
> that, but that requires us to play "find the patch" again once we start
> getting this upstream. Also, I can't help noticing that the bind-ldap
> plug-in isn't maintained upstream but out-of-tree.

But the LDAP backend itself works well;  just postulating that you could
use bind and point it at your internal LDAP database (we've been using
Bind backed with LDAP for years - much easier to update LDAP than to
argue with Bind).

> All in all I'm not convinced that going the BIND route is less work,
> pain, or long term maintenance effort.